410 likes | 512 Views
Wireless Security By Neeraj Poddar Advanced Cryptography . 04/14/2011. A Little Background . The IEEE 802.11 wireless LAN standard was established in 1989 and was originally intended to seek a wireless equivalent to Ethernet. Wide spread popularity in recent years.
E N D
Wireless SecurityByNeeraj PoddarAdvanced Cryptography 04/14/2011
A Little Background • The IEEE 802.11 wireless LAN standard was established in 1989 and was originally intended to seek a wireless equivalent to Ethernet. • Wide spread popularity in recent years. • Major difference between wired and wireless networks is access to the transmitted data. • From the initial development stages of wireless technologies experts knew that security would be a major issue that needed to be solved in order for this technology to be able to overtake the place of wired networks.
Security Concerns • Wireless security is a major demand in the secure datatransferring services. • Accidental association • Malicious association • Non-traditional networks • Identity theft (MAC spoofing) • Man-in-the-middle attacks • Denial of service • Network injection
Security Measures • In WLANs, privacy is achieved by data contents protection with encryption. • There have been three major generations of security approaches, which is mentioned below: • WEP (Wired Equivalent Privacy) • WPA (Wi-Fi Protected Access) • WPA2/802.11i (Wi-Fa Protection Access, Version 2) • Each of these protocols has two generations named as personal and enterprise.
WEP • WEP’s security goals are :- • Access control: protecting the wireless network from unauthorized access. • Confidentiality: to prevent eavesdropping. • Data integrity: to prevent tampering with transmitted messages.
WEP Algorithm • WEP uses RC4 algorithm for encryption and key stream generation. • Sender side: • The secret key used in WEP algorithm is 40-bit long is concatenated with a 24-bit Initialization Vector (IV) for acting as the encryption/decryption key. • The resulting key acts as the seed for a Pseudo-Random Number Generator (PRNG). • The plaintext input in a integrity algorithm and concatenate by the plaintext again. • The result of key sequence and ICV will go to RC4 algorithm. • A final encrypted message is made by attaching the IV in front of the Cipher text.
Recipient Side • WEP uses five operations to decrypt the received (IV + Cipher text). • The Pre-Shared Key and IV concatenated to make a secret key. • The Cipher text and Secret Key go to in CR4 algorithm and a plaintext come as a result. • The ICV and plaintext will separate. • The plaintext goes to Integrity Algorithm to make a new ICV (ICV’). • Finally the new ICV (ICV‘)compare with original ICV.
Initialization Vector (IV) • Random bits whose size depends on the encryption algorithm and is normally as large as the block size of the cipher or as large as the Secret key. • The IV must be known to the recipient of the encrypted information to be able to decrypt it. • WEP algorithm does this by transmitting the IV along with the packet. • In WEP for two different lengths (64, 128 bit) of keys IV is 24-bit.
Pre-Shared Key • Simple 5- or 13-character password that is shared between the access point and all wireless network users. • For the 64-bit key the length of secret key is 40 bits and for 128-bit key the length is 104 bits.
PRNG • WEP defines a method to create a unique secret key for each packet using the 5- or 13-characters of the pre-shared key and three more pseudo-randomly selected characters picked by the wireless hardware (IV). • For example, our Pre-shared key is "ARASH". This word would then be merged with "AHL" as IV to create a secret key of "AHLARASH", which would be used in encryption operations of packet. • The next packet would still use "ARASH", but concatenate it this time with "ARA" to create a new secret key of "ARAARASH". • This process would randomly continue during the transmission of data.
ICV & Integrity Algorithm (CRC-32): • Is one of hashing algorithm and it is abbreviation of "Cyclic Redundancy Code". • The "CRC" term is reserved for algorithms that are based on the "polynomial" division idea. • Take the data as a VERY long binary number and divide it by a constant divisor.
RC4: • RC4 is not specific to WEP; it is a random generator, also known as a key stream generator or a stream cipher.
WEP Problems • Size of IV is short and will be reused. • Regardless of the key size, 24-bit long of WEP’s IV can only provide 16,777,216 different RC4 cipher streams for a given WEP key. • If the RC4 cipher stream for a given IV is found, an attacker can decrypt subsequent packets that were encrypted with the same IV or can forge packets. • If a hacker collects enough frames based on the same IV, the individual can determine the shared values among them, i.e., the key stream or the shared secret key.
Key management • Is a major issue and key updating mechanism is poor. • Most wireless networks that use WEP have one single WEP key shared between every node on the network. • Since synchronizing the change of keys is difficult, network administrators must personally visit each wireless device in use and manually enter the appropriate WEP key. • Result is key rarely changed by the system administrators.
Issues with RC-4 Algorithm • Weak keys, meaning that there is more correlation between the key and the output. • The first three bytes of the key are taken from the IV that is sent unencrypted in each packet which can be used to find weak keys. • Out of the 16 million IV values available, about 9,000 are interesting. • The attacker captures "interesting packets" filtering for IVs that suggest weak keys. • Because all original IP packets start with a known value, it’s easy to know when he/she has the right key. • To determine a 104-bit WEP key, he/she has to capture between 2,000 and 4,000 interesting packets.
Forging of Authentication Messages • Two types of authentication: Open System and Shared Key authentication. • Turning on authentication with WEP reduced the security. • Shared Key authentication involves demonstrating the knowledge of the shared WEP key by encrypting a challenge. • Any monitoring attacker can observe the challenge and the encrypted response. • From those, then can determine the RC4 stream used to encrypt the response. • The attacker can later forge an authentication.
Other security concerns in WEP • WEP does not prevent replay attacks. • An attacker can simply record and replay packets as desired and they will be accepted as legitimate. • WEP allows an attacker to undetectably modify a message without knowing the encryption key. (Weakness in CRC)
Enhancements over WEP • Improved data encryption (TKIP) • Temporal Key Integrity Protocol (TKIP) using a hashing algorithm and, by adding an integrity-checking feature, ensures that the keys haven’t been tampered with. • It is an alternative to WEP that fixes all the security problems and does not require new hardware.
TKIP • Like WEP, TKIP uses the RC4 stream cipher as the encryption and decryption processes and all involved parties must share the same secret key. • This secret key must be 128 bits and is called the "Temporal Key" (TK). • TKIP also uses an Initialization Vector (IV) of 48-bit and uses it as a counter. • Even if the TK is shared, all involved parties generate a different RC4 key stream. • Since the communication participants perform a 2-phase generation of a unique "Per-Packet Key" (PPK) that is used as the key for the RC4 key stream.
TKIP New Features • TKIP adds four new algorithms to WEP: • A cryptographic message integrity code, or MIC, called Michael, to defeat forgeries • A new IV sequencing discipline, to remove replay attacks from the attacker’s arsenal. • A per-packet key mixing function, to de-correlate the public IVs from weak keys • A re-keying mechanism, to provide fresh encryption and integrity keys, undoing the threat of attacks stemming from key reuse.
MIC or Michael • Michael is the name of the TKIP message integrity code. • New MIC designed that has 64-bits length and represented as two 32-bit little- Endian words (K0,K1) • The Michael function first pads a message with the hexadecimal value 0x5a and enough zero • pad to bring the total message length to a multiple of 32-bits. • Then partitions the result into a sequence of 32-bit words M1 M2… Mn, and finally computes the tag from the key and the message words using a simple iterative structure:
MIC Contd.. • (L,R) ← (K0,K1) • do i from 1 to n • L←L XOR Mi • (L,R)← Swap(L,R) • return (L,R) as the tag
New IV sequencing • To defeat replays, TKIP reuses the WEP IV field as a packet sequence number. • Both transmitter and receiver initialize the packet sequence space to zero whenever new TKIP keys are set. • Transmitter increments the sequence number with each packet it sends. • TKIP requires the receiver to enforce proper IV sequencing of arriving packets.
Key Mixing • WEP constructs a per-packet RC4 key by concatenating a base key and the packet IV. • The new per-packet key is called the TKIP key mixing function. • It substitutes a temporal key for the WEP base key and constructs the WEP per-packet key in a novel fashion. • The mixing function operates in two phases.
Phase 1 • It eliminates the same key from use by all links. • It combines the 802 MAC addresses of the local wireless interface and the temporal key by iteratively XORing each of their bytes to index into an S-box, to produce an intermediate key. • The Phase 1 intermediate key must be computed only when the temporal key is updated. • Most implementations cache its value as a performance optimization.
Phase 2 • It de-correlates the public IV from known the per-packet key. • Uses a tiny cipher to encrypt the packet sequence number under the intermediate key, producing a 128-bit per-packet key. • This design accomplishes the second mixing function design goal. • Making it difficult for a rival to be connected to IVs and per-packet keys.
Rekeying or Defeating key collision attacks: • Rekeying delivers the fresh keys consumed by the various TKIP algorithms. • There are three key types: temporal keys, encryption keys and master keys. • Occupying the lowest level of the hierarchy are the temporal keys consumed by the TKIP privacy and authentication algorithms proper. • TKIP employs a pair of temporal key types: a 128-bit encryption key, and a second 64-bit key for data integrity. • TKIP uses a separate pair of temporal keys in each direction of an association. • Each association has two pairs of keys, for a total of four temporal keys
WPA • Personal WPA or WPA-PSK (Key Pre-Shared) that use for small office and home for domestic use authentication which does not use an authentication server and the data cryptography key can go up to 256 bits. • Enterprise WPA or Commercial that the authentication is made by an authentication server 802.1x, generating an excellent control and security in the users' traffic of the wireless network.
WPA Enterprise • WPA uses 802.1X+EAP for authentication. • Replaces WEP with the more advanced TKIP encryption • No preshared key is used here, but you will need a RADIUS server. • Remote Authentication Dial In User Service (RADIUS)
WPA2 • WPA2 was designed as a future-proof solution based on lessons learned by WEP implementers. • One of the most significant improvement is encryption algorithm which uses Advanced Encryption Standard (AES). • In particular it uses Counter Mode with Cipher Block Chaining Message Authentication Code Protocol.
Conclusion • Wireless Security issues • WEP algorithm • WEP Weakness • WEP Improvements • TKIP • WPA • WPA2 • Security impact on bandwidth
References • Lashkari, A.H.; Towhidi, F.; Hosseini, R.S.; , "Wired Equivalent Privacy (WEP)," Future Computer and Communication, 2009. ICFCC 2009. International Conference on , vol., no., pp.492-495, 3-5 April 2009 • ArashHabibiLashkari, Mir Mohammad SeyedDanesh, BehrangSamadi, "A survey on wireless security protocols (WEP, WPA and WPA2/802.11i)," iccsit, pp.48-52, 2009 2nd IEEE International Conference on Computer Science and Information Technology, 200 • Ying Wang; Zhigang Jin; Ximan Zhao; , "Practical Defense against WEP and WPA-PSK Attack for WLAN," Wireless Communications Networking and Mobile Computing (WiCOM), 2010 6th International Conference on , vol., no., pp.1-4, 23-25 Sept. 2010 • Boland, H.; Mousavi, H.; "Security issues of the IEEE 802.11b wireless LAN," Electrical and Computer Engineering, 2004. Canadian Conference on , vol.1, no., pp. 333- 336 • Emilio J.M. Arruda Filho , Paulo N. L. Fonseca Jr.%, Mairio J. S. Leitdo and Paulo S. F. De: “Security versus Bandwidth: The Support of Mechanisms WEP e WPA in 802.11g Network”